Here's a quick write-up on configuring Policy-Based Routing (PBR) on a Cisco router. I was trying to configure PBR on a customer VRF to test, or simulate, customer traffic going through a new FortiGate firewall. The customer traffic is currently NAT'd through the Cisco ASA firewall, as the baseline traceroute below shows.
CE#trace vrf CUST 8.8.8.8 source 192.168.199.1
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.6.9.50 0 msec 0 msec 0 msec
2 216.12.34.5 0 msec 0 msec 4 msec // CISCO ASA HOP
3 72.250.194.1 0 msec 4 msec 0 msec
<OUTPUT TRUNCATED>
9 * * *
10 8.8.8.8 4 msec 8 msec 8 msec
Note you'll need to apply PBR on the "ingress" or LAN-facing interface, i.e. the interface the customer traffic enters on, not the WAN egress. You also can't configure a Loopback interface and then do a ping test sourced from that Loopback: an interface policy only processes transit traffic, so packets the router itself generates are not policy-routed (that would need ip local policy route-map, which is not what's being tested here). The ping test should be sourced from an IP host/subnet located "behind", or a Layer 3 hop away from, the router doing the PBR.
You'll also need to consider local traffic flows. If a host needs to reach internal resources such as DNS, you'll need deny ACL statements to exclude those IP hosts/subnets. In a PBR route-map a deny entry in the matched ACL doesn't drop the traffic; it just means the route-map sequence doesn't match, so those packets fall through to the normal routing table.
PE#show access-list 199
Extended IP access list 199
10 deny ip 192.168.199.0 0.0.0.255 10.1.1.0 0.0.0.255 // EXCLUDE INTERNAL DNS TRAFFIC
20 permit ip 192.168.199.0 0.0.0.255 any // PERMIT 192.168.199.0/24 TO INTERNET (NEW FW)
PE#show run | sec route-map MY-PBR // NO NEED TO CONFIGURE: set vrf <VRF>
route-map MY-PBR permit 10
match ip address 199
set ip next-hop 172.20.8.12
PE(config)#interface GigabitEthernet0/0/1 // LAN INTERFACE
PE(config-if)#ip policy route-map MY-PBR
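To make the match semantics concrete, here is a small model of how the ACL and route-map above classify transit flows. This is an added example written for this post, not Cisco code and not something from the original configuration; the flows, the internal DNS address 10.1.1.53 and the 192.168.10.0/24 "other customer" subnet are constructed for illustration. It shows that a deny ACE, or no ACE at all, sends the packet to normal routing rather than dropping it, and that only the permit ACE steers traffic to the FortiGate next-hop.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of Cisco IOS PBR classification (added example, not from
# the original post). ACL entries use Cisco wildcard masks. A "deny" ACE does
# NOT drop the packet: the route-map sequence simply fails to match and the
# packet continues to the next sequence, or to the normal routing table.


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "network wildcard", "host a.b.c.d", or "any"
    dst: str


def _wildcard_match(spec: str, addr: str) -> bool:
    """Match an IPv4 address against a Cisco-style source/destination spec."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.IPv4Address(parts[1]) == ipaddress.IPv4Address(addr)
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    # Wildcard bits set to 1 are "don't care"; compare only the 0 bits.
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def acl_lookup(acl, src, dst):
    """First-match ACL evaluation: 'permit', 'deny', or 'implicit-deny'."""
    for entry in acl:
        if _wildcard_match(entry.src, src) and _wildcard_match(entry.dst, dst):
            return entry.action
    return "implicit-deny"


def pbr_next_hop(route_map, acls, src, dst, default="routing-table"):
    """Walk route-map sequences in order; the first matching sequence decides."""
    for seq in route_map:
        if acl_lookup(acls[seq["match_acl"]], src, dst) == "permit":
            # A matching 'deny' route-map sequence means: do not policy-route.
            return seq["set_next_hop"] if seq["action"] == "permit" else default
    return default


# Mirrors access-list 199 and route-map MY-PBR from the post.
ACL_199 = [
    AclEntry("deny", "192.168.199.0 0.0.0.255", "10.1.1.0 0.0.0.255"),
    AclEntry("permit", "192.168.199.0 0.0.0.255", "any"),
]
ROUTE_MAP_MY_PBR = [
    {"action": "permit", "match_acl": 199, "set_next_hop": "172.20.8.12"},
]

# Constructed sample flows (hosts chosen for illustration only).
SAMPLE_FLOWS = [
    ("192.168.199.1", "8.8.8.8"),    # customer host to Google DNS -> FortiGate
    ("192.168.199.1", "10.1.1.53"),  # customer host to internal DNS -> normal routing
    ("192.168.10.5", "8.8.8.8"),     # other RFC1918 subnet, no ACE -> normal routing (ASA)
]


def classify(flows):
    """Return {(src, dst): next_hop_or_'routing-table'} for each flow."""
    return {(s, d): pbr_next_hop(ROUTE_MAP_MY_PBR, {199: ACL_199}, s, d) for s, d in flows}


if __name__ == "__main__":
    for (s, d), nh in classify(SAMPLE_FLOWS).items():
        print(f"{s} -> {d}: {nh}")
```

Running it prints the FortiGate next-hop only for the 192.168.199.0/24 to Internet flow; the internal DNS flow and the other subnet both show routing-table, which is exactly the behaviour the FortiView sessions and the ASA translations confirmed in the lab.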
CE#ping vrf CUST 8.8.8.8 source 192.168.199.1 rep 10 // GOOGLE DNS
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.199.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 4/8/20 ms
CE#ping vrf CUST 72.163.4.185 source 192.168.199.1 // CISCO.COM
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.163.4.185, timeout is 2 seconds:
Packet sent with a source address of 192.168.199.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
CE#traceroute vrf CUST 8.8.8.8 source 192.168.199.1
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 10.6.9.50 0 msec 0 msec 0 msec
2 172.20.8.12 msec 4 msec 0 msec // FORTIGATE HOP
3 66.12.34.56 0 msec 0 msec 0 msec
<OUTPUT TRUNCATED>
11 * * *
12 8.8.8.8 4 msec 4 msec 4 msec
The PBR was confirmed working when the CE router's traceroute showed the new FortiGate IP address as the second hop instead of the Cisco ASA. I also checked the NAT translations via FortiView Sessions on the FortiGate. The other RFC1918 IP subnets, which are not permitted by access-list 199, were still NAT'd via the Cisco ASA firewall.
